CVE-2023-32700: luatex-1.17.0 update - tex-live mailing list
LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
Karl Berry karl at freefriends.org
Tue May 2 23:26:29 CEST 2023
FYI: some issues have been found in luatex (obscure ways to work around some security features; thanks to Max Chernoff). Luigi has committed fixes to the sources, and we are rebuilding now. The new luatex version is 1.17.0. All four luatex binaries (luatex luahbtex luajitex luajithbtex) are affected. The different platforms will come in as the respective builders have time; so far, x86_64-linux and *-netbsd have been updated.
The change that’s most likely to be noticeable is that the socket library is now disabled by default; a new option --socket enables it, as well as --shell-escape (not --shell-restricted). In addition, the mime library is now always available, and new functions os.socketsleep and os.socketgettime are also always available. I will put a more detailed summary at https://tug.org/texlive/bugs.html after the binaries are committed.
The new binaries do not, so far as I know, even require a .fmt rebuild, though tlmgr will make that happen anyway as a matter of course with a normal installation.
Good luck to us all, Karl
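As an added example (not part of the announcement or of the TeX Live project), a small POSIX shell check that tells whether the LuaTeX binaries named above already carry the 1.17.0 fix for CVE-2023-32700. It assumes the first line of `luatex --version` reads like "This is LuaTeX, Version 1.16.1 (TeX Live 2023)"; the sample banners used in the comments are constructed.

```shell
#!/bin/sh
# Decide from a `luatex --version` banner whether the installed LuaTeX
# is at or past 1.17.0, the first release with the CVE-2023-32700 fix.
# Assumed banner format: "This is LuaTeX, Version 1.16.1 (TeX Live 2023)".

FIXED_VERSION="1.17.0"

# Extract "X.Y.Z" from a banner line; prints nothing if no version is found.
luatex_version_from_banner() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
      | head -n 1
}

# Numeric comparison of two dotted X.Y.Z versions; returns 0 if $1 >= $2.
version_ge() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# 0 = banner shows a fixed LuaTeX, 1 = still vulnerable, 2 = banner unparseable.
luatex_is_fixed() {
    v=$(luatex_version_from_banner "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_VERSION"
}

# Walk the four affected binaries from the announcement, skipping any not on PATH.
check_installed() {
    for bin in luatex luahbtex luajitex luajithbtex; do
        command -v "$bin" >/dev/null 2>&1 || continue
        banner=$("$bin" --version 2>/dev/null | head -n 1)
        if luatex_is_fixed "$banner"; then
            echo "$bin: $banner -> fixed"
        else
            echo "$bin: $banner -> UPDATE NEEDED (CVE-2023-32700)"
        fi
    done
}
```

Run `check_installed` on a host after `tlmgr update --all` to confirm every binary reports 1.17.0 or later, since the announcement says the platforms are rebuilt at different times.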
Related news
Red Hat Security Advisory 2023-3661-01 - The texlive packages contain TeXLive, an implementation of TeX for Linux or UNIX systems. Issues addressed include a code execution vulnerability.
Ubuntu Security Notice 6115-1 - Max Chernoff discovered that LuaTeX did not properly disable shell escape. An attacker could possibly use this issue to execute arbitrary shell commands.
Debian Linux Security Advisory 5406-1 - Max Chernoff discovered that improperly secured shell-escape in LuaTeX may result in arbitrary shell command execution, even with shell escape disabled, if specially crafted tex files are processed.